Latest Consumer Reports study identifies most hackable Smart TVs

There is a saying in the information security (infosec) industry that anything connected to a network can be hacked. Now, new data from Consumer Reports (CR) reveals that internet-connected Smart TVs can serve as prime examples, since millions of them can be controlled quite easily by hackers who can exploit a number of easy-to-find security flaws.

This is based on the results of a series of tests conducted to find out which smart TVs are vulnerable to security attacks. According to CR, the problems they found affect smart TVs from Samsung, TCL, and a few other brands that run a third-party smart TV platform from Roku TV. Streaming devices like the Roku Ultra were also noted as vulnerable.

How exactly did CR arrive at their conclusions? First, they looked at the historical data available on smart TVs. For a number of years, it seemed like smart TV manufacturers kept running into one type of trouble after another regarding security and vulnerability to hacking, as well as routine violations of user privacy.

All in all, CR tested a total of five different smart TVs from the most widely sold TV brands in the U.S., which they sourced through regular retail outlets. This means that the results they gathered at the end of their tests apply to every single retail unit available on the market – which could end up in your home.

In order to conduct their tests, CR used their new Digital Standard, which they co-developed with partner cybersecurity and privacy firms with the aim of setting expectations for how manufacturers ought to handle digital rights, privacy, and security concerns. The goal, according to CR, is to educate consumers on their privacy and security options as well as to influence manufacturers to take the identified issues into consideration when they develop their products.

According to Maria Rerecich, who is tasked with overseeing electronics testing at the CR offices, CR’s methods are applicable to all sorts of electronic digital appliances. “The Digital Standard can be used to evaluate many products that collect data and connect to the Internet,” she said. “But smart TVs were a natural place to start. These sets are growing in popularity, and they can transmit a remarkable amount of information about their users back to the TV manufacturers and their business partners.”

Rerecich made it clear that in conducting their security tests, they merely wanted to see if basic security practices were covered by the TV manufacturers. “We were just looking for good security practices,” she explained. “Encryption of personal or sensitive data, protection from common vulnerabilities, that sort of thing.”

What they found was that current models of Samsung and TCL smart TVs are vulnerable to remote hacking attacks that could turn the volume up or down, change the channels at will, open pretty much any video on YouTube, or even disconnect the TVs from the Wi-Fi networks they are connected to. Although none of these actions is supposed to be possible, they are mainly annoying rather than seriously harmful.

CR noted in its report that the exploits they uncovered didn’t allow an attacker to extract information from the smart TVs or even to see what kind of content was being played on them in real time. They described the way they accessed the smart TV features through the exploits as “like someone using a remote control with their eyes closed.” However, to users who don’t understand what’s happening, it might be rather creepy, “as though an intruder were lurking nearby or spying on you through the set,” said CR.

The report just scratches the surface of how vulnerable network-connected smart TVs can be. CR pointed to the pre-installed application programming interfaces (APIs) used in the TV sets – particularly those running Roku TV’s smart TV platform – as the reason why the exploits were possible. As Eason Goodale, a software engineer involved in the project, notes, “Roku devices have a totally unsecured remote control API enabled by default.” It could be fixed through a simple software update, as Samsung intends to do, but it’s something that isn’t supposed to happen in the first place.